Security

The honest claim ceiling

We publish the full ceiling because the honest claim is the product. No overclaim.

Claim    Status
Per-workspace kernel isolation (Firecracker + jailer)
Signed, independently-verifiable audit chain
Hardware-rooted attestation (SEV-SNP, Azure)
Confidential agent execution (single-CVM-direct)
Operator-excluded memory encryption
Attestation-gated key release (sealed snapshots)
Per-workspace hardware isolation (nested SNP)
Guest-code measurement
KMS-hardware-bound key release
mTLS runtime↔control-plane
Intel TDX

Threat model

What the confidential tier protects against

  • A compromised cloud operator: cannot read the agent's memory, because SEV-SNP encrypts guest memory under a key the hypervisor never holds. Even under subpoena, the operator can produce only ciphertext.
  • A compromised host kernel: SEV-SNP integrity protection (the reverse map table) stops the hypervisor from silently modifying, remapping or replaying the CVM's private memory pages.
  • A replayed attestation: the two-layer binding ties the evidence to the live session, so stale or replayed evidence is rejected. Only the live, hardware-anchored key can sign.

Honest ceiling

What it does NOT protect against

  • A compromised agent producing wrong outputs: Enclave solves execution-boundary safety, not agent alignment.
  • Side-channel attacks on the CVM: SEV-SNP has known side-channel limitations (for example cache-timing attacks). That is a property of the hardware, and we name it as such.
  • The paravisor (Azure only): the OpenHCL paravisor runs inside the CVM and is part of the measured set. The TCB is larger than on bare metal, but the attestation is no weaker on authenticity.

Proof

Verified on Azure DCasv5 silicon

  1. R1.1 nesting block confirmed empirically (/dev/kvm absent, svm = 0 in the guest)
  2. OpenShell sandbox spawned in-CVM
  3. Command ran over the NSSH1 SSH control channel
  4. Attestation evidence produced (2-layer binding)
  5. CP gate released the DEK only on that evidence
  6. seal→unseal restored byte-identical plaintext
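The control-plane gate behind the "replayed attestation" bullet of the threat model and proof steps 4 and 5, as an added example in Go. This is not Enclave's code, and it assumes one reading of the two-layer binding: a hardware-signed report carries the hash of a runtime key generated inside the guest (layer 1), and that runtime key signs a single-use nonce issued by the control plane (layer 2). The ed25519 "hardware root", the Report and Evidence field names, the measurement allowlist and the constructed image and DEK values are all stand-ins for the SEV-SNP report and VCEK chain, not the product's actual format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Layer 1: the hardware-signed report. On SEV-SNP the firmware signs it under the
// VCEK; an ed25519 key stands in for that root (assumption, not the real format).
type Report struct {
	Measurement [32]byte // launch measurement of the guest image
	ReportData  [32]byte // sha256 of the in-guest runtime public key: the binding
	Sig         []byte   // root signature over Measurement || ReportData
}

func (r Report) signed() []byte { return append(r.Measurement[:], r.ReportData[:]...) }

// Layer 2: the runtime key, generated inside the guest and bound into the report
// through ReportData, signs the control plane's single-use nonce.
type Evidence struct {
	Report     Report
	RuntimePub ed25519.PublicKey
	Nonce      [32]byte
	NonceSig   []byte
}

// Attest is the guest side; hwRoot stands in for the silicon, runtimeKey never
// leaves the guest.
func Attest(hwRoot, runtimeKey ed25519.PrivateKey, m, nonce [32]byte) Evidence {
	pub := runtimeKey.Public().(ed25519.PublicKey)
	r := Report{Measurement: m, ReportData: sha256.Sum256(pub)}
	r.Sig = ed25519.Sign(hwRoot, r.signed())
	return Evidence{r, pub, nonce, ed25519.Sign(runtimeKey, nonce[:])}
}

// Gate is the control-plane check: the DEK leaves only for root-signed evidence
// from an approved measurement whose bound runtime key signed a live nonce.
type Gate struct {
	HwRoot  ed25519.PublicKey
	Allowed map[[32]byte]bool // measurements permitted by policy
	issued  map[[32]byte]bool // outstanding nonces, consumed on first use
	DEK     []byte
}

// Challenge issues a fresh nonce; only evidence carrying it counts as live.
func (g *Gate) Challenge() [32]byte {
	var n [32]byte
	rand.Read(n[:])
	if g.issued == nil {
		g.issued = map[[32]byte]bool{}
	}
	g.issued[n] = true
	return n
}

func (g *Gate) Release(ev Evidence) ([]byte, error) {
	if !g.issued[ev.Nonce] {
		return nil, errors.New("nonce not outstanding: stale or replayed evidence")
	}
	delete(g.issued, ev.Nonce) // one attempt per nonce, whether or not it succeeds
	switch {
	case !ed25519.Verify(g.HwRoot, ev.Report.signed(), ev.Report.Sig):
		return nil, errors.New("report not signed by the hardware root")
	case !g.Allowed[ev.Report.Measurement]:
		return nil, errors.New("measurement not in policy")
	case sha256.Sum256(ev.RuntimePub) != ev.Report.ReportData:
		return nil, errors.New("runtime key not bound into the report")
	case !ed25519.Verify(ev.RuntimePub, ev.Nonce[:], ev.NonceSig):
		return nil, errors.New("nonce not signed by the bound runtime key")
	}
	return g.DEK, nil
}

func main() {
	// Constructed keys, measurement and DEK for the demo.
	hwPub, hwPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, runtimeKey, _ := ed25519.GenerateKey(rand.Reader)
	m := sha256.Sum256([]byte("constructed guest image"))
	dek := make([]byte, 32)
	rand.Read(dek)
	gate := &Gate{HwRoot: hwPub, Allowed: map[[32]byte]bool{m: true}, DEK: dek}

	ev := Attest(hwPriv, runtimeKey, m, gate.Challenge())
	got, err := gate.Release(ev)
	fmt.Println("released on live evidence:", err == nil && bytes.Equal(got, dek))
	_, err = gate.Release(ev) // identical evidence presented again
	fmt.Println("replay rejected:", err != nil)
}
```

The nonce is consumed before any other check runs, so a failed attempt cannot be retried with the same challenge, and the measurement, the report signature and the key binding are each checked separately so a rejection says which layer failed. Anything the operator captured earlier carries a nonce that is no longer outstanding, and anything forged on the host lacks the hardware root's signature or the in-guest runtime key.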